Fergie's Tech Blog

Saturday, April 19, 2008

U.S. Toll in Iraq

As of Saturday, April 19, 2008, at least 4,039 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,295 died as a result of hostile action, according to the military's numbers.

The AP count is the same as the Defense Department's tally, last updated Friday at 10 a.m. EDT.

ICANN GNSO Votes to Kill Domain Tasting

In January, the ICANN board voted to make their 20 cent per domain fee non-refundable, effective probably in the next budget year, which would be 2009. That would deter the highest volume tasters, but as other people have pointed out, it wouldn't have much effect against front running if the 20 cent fee might lock in a $30 registration and a $100 hosting package.

The ICANN Generic Names Supporting Organization has had tasting on its agenda since last fall, with a staff report issued in January, and a proposed anti-tasting policy written in March. On Thursday the 17th, the GNSO put the proposed policy to a vote, and it passed overwhelmingly. Under ICANN rules, the ICANN board has to take up the resolution at its next meeting, and since it was approved by a supermajority, it becomes ICANN policy unless 2/3 of the board votes against it, which in this case is unlikely. So unless the board ignores its own rules (not for the first time) the GNSO resolution will shortly be ICANN policy.

In seeking to make money off mistyped website names, some of the U.S.'s largest ISPs instead created gaping security holes in the web's largest websites, including eBay, PayPal, Google and Yahoo, making it possible for hackers to turn any site on the net into a source of malware, a security researcher revealed Saturday.

The massive vulnerability introduced by Earthlink and Comcast was quietly and quickly patched on Friday, after IOActive security researcher Dan Kaminsky reported the vulnerability to Earthlink and its technology partner Barefruit.

In Memoriam: Oklahoma City - 19 April 1995

Air Force One Guidance Systems Allegedly Sent to Russia

State Department investigators found that a subsidiary of a major defense contractor provided portions of the computer source code of Air Force One to a company in Russia in 1998, according to a little-noticed consent agreement reached earlier this month.

The documents, filed by the State Department, noted that the alleged violation by a subsidiary of defense contractor Northrop Grumman "resulted in harm to the U.S. national security."

Specifically, the source code involved the inertial navigation software systems that are unique to the presidential aircraft.

The violations were allegedly committed by Litton Industries, which Northrop Grumman bought in 2001. Northrop has agreed to pay a $15 million fine for 110 violations of the Arms Export Control Act and the International Traffic in Arms Regulations.

Friday, April 18, 2008

Analysis: Chinese Spies in The West

China's intelligence agency has reinforced its infiltration activities in Europe, North America, Japan and Russia in recent years. An analysis of numerous cases leads to the conclusion that China has shifted its tactics in recruiting citizens of Western countries.

Beijing has abandoned the traditional approach of ideological persuasion, turning instead to the use of blackmail, women and money -- quite similar to the practices employed by the former Soviet Union's KGB and the former East German Intelligence Agency. A series of "massage salon" incidents involving Japanese diplomats in Beijing and Shanghai are typical examples.

University of Miami: 2.1 Million Medical Records 'Lost'

The University of Miami disclosed on Friday that one of its storage vendors lost a number of back-up tapes containing the personal information of more than two million patients.

The university, located in Coral Gables, Fla., said in a news release that the data includes names, Social Security numbers, addresses and health information for patients of University of Miami physicians or anyone who visited a university health facility since Jan. 1, 1999.

The university did not say how many individuals were affected, but the Miami Herald reported on Friday that the total could be as high as 2.1 million people. The school did say that it planned to alert 47,000 patients whose credit card and other financial data were on the lost tapes.

Local: Police Track ATM Scammers

Police in Los Altos are still trying to track down a ring of scammers who robbed an estimated 80 people by stealing their bank card numbers and personal identification codes from a local Arco AM/PM gas station ATM in recent months.

At least four men are believed to have orchestrated an elaborate theft discovered last month, which some victims are just now discovering in their bank statements, said Los Altos police detective Wes Beveridge. He said the thieves rigged the ATM machine at the Arco at San Antonio Road and Loucks Avenue with a code-stealing device, and then downloaded customer information during the next few weeks, or possibly months.

Then, said Beveridge, the thieves created so-called "cloned" bank cards, and went on a spree withdrawing money from banks from San Francisco to Walnut Creek from March 15 to March 21. Beveridge declined to disclose how much money the thieves stole in total, saying that is still under investigation.

But in some cases, the thieves were able to withdraw thousands of dollars from a victim's account in one day, despite bank ATM daily withdrawal limits of $300 to $700.

Fusion Centers Suffer Information Overload

Dozens of state and local intelligence fusion centers operating nationwide are having difficulties juggling the multiple information systems that provide them with data, according to a new report [.pdf] from the Government Accountability Office.

Forty-three fusion centers were operational as of September and another 15 are in development. They have been created since the Sept. 11, 2001, terrorist attacks with a goal of advancing information-sharing among law enforcement authorities to improve domestic counterterrorism intelligence.

The centers are receiving federal assistance from the Homeland Security and Justice departments and from the Office of the Director of National Intelligence. They are being incorporated into the national Information-Sharing Environment established by Congress in the intelligence reform legislation.

But even with federal aid, the centers are having a hard time managing the inflows of data, the report said.

Community Bank: New Visa Cards In Mail After Hacking Incident

No Community Bank customers lost money when an Internet site they used to make purchases was attacked by a malicious computer program, prompting the overseas military bank to cancel 867 Visa banking cards last week.

The affected customers have been mailed a new bank card, according to Thomas LaRock, a spokesman with the Defense Finance and Accounting Service, which oversees the Defense Department’s contract with Bank of America and its Community Bank subsidiary.

Most of the customers were Germany-based, according to DFAS.

According to LaRock, the compromise apparently occurred when a malicious computer program targeted an online merchant with rapid-fire fake purchases. Once the purchases were authorized by the merchant, the perpetrator used the authorizations to trace back the information to the affected Visa cards.

Chinese Grad Student Charged in Criminal Case

An unusual criminal prosecution concerning a professor's assignment of a Chinese graduate student to work on an Air Force unmanned drone technology project is part of an ongoing federal crackdown on China's efforts to gain American technology through academic exchanges, business deals, and old-fashioned espionage, officials said.

The Justice Department's latest case, which originated at the University of Tennessee, is unprecedented, according to several analysts, because it rests on the notion that academic researchers effectively exported sensitive technical information by letting a foreign student have access to it.

Chinese Hackers Poised for 'Anti CNN' Attack on April 19 - UPDATE [2]

Chinese hackers appear to be readying for an attack on the West scheduled for April 19. The attack appears to be a response to the recent, and very public, pro-Tibet coverage in Western media organizations.

A Chinese site called Anti-CNN is setting out to counteract what it claims are the lies and distortion present in Western news coverage of stories concerning China and Chinese national interests. It is calling for street protests in Germany, France, the Netherlands, and the United Kingdom on the 19th of April (Beijing local time).

Customers Ticked Off Over Breach Notification

Consumers are mad as hell about corporate security breaches, and they aren't going to take it anymore. Well, about a third of them aren't, anyway.

Some 31 percent of customers who have been notified of the possible exposure of their personal information have terminated their relationship with the breached company, according to a study published earlier this week by the Ponemon Institute and security vendor ID Experts.

More than half of the respondents (55 percent) said they have been notified more than once over the last two years about a breach involving their personal data. Eight percent said they have received four notifications or more.

PayPal Plans to Ban Unsafe Browsers

PayPal, Inc., one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don't provide anti-phishing protection.

The eBay-owned company, which runs a Web-based payment system that allows the transfer of funds between bank accounts and credit cards, said browsers that do not have support for blocking identity theft-related Web sites or for EV SSL (Extended Validation) certificates are considered "unsafe" for financial transactions.

"In our view, letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat-belts," says PayPal Chief Information Security Officer Michael Barrett.

Phone Systems Hackers Hit Australian Businesses

At least one Australian company every day falls victim to telephone hackers, who rack up an average bill of $78,000, a national telephone security expert said yesterday.

But David Stevens, managing director of Telecoms Security, said most businesses did not realise how easy it was until it was too late.

Australian Federal Police last night confirmed they were working with their international counterparts to stop hackers hitting Australian businesses, after it was revealed that criminals had penetrated the phone systems of at least two Melbourne companies in recent weeks.

The scam is allegedly being carried out by overseas manufacturers of international phone cards commonly used by students and tourists to make cheap calls.

The card manufacturers are then believed to hack into unsuspecting companies' phone systems, known as private automatic branch exchanges (PABX), so that the calls made by card users get charged to the victims of the scam.

eBay's Korean Unit Apologizes for Hacking Incident

U.S. auction giant eBay's Korean unit apologized Thursday for a hacking incident that led to leaks of private information of more than 10 million users of its service.

Park Joo-man, president of Internet Auction, said in an e-mail apology sent to affected users that the hacking of its website in early February led to the leaking of information of some 10,810,000 users as of its latest tally with the police.

The company, after a joint investigation with the police, said that more than 90 percent of the information outflow was of names, IDs and resident registration numbers. Credit card numbers and passwords were likely not included in the leak, it added.

Feds Charge California Woman With Stealing IDs From the Dead

Federal prosecutors this week charged a Southern California woman with aggravated identity theft and other crimes for allegedly using a popular genealogy research website to locate people who had recently died, and then taking over their credit cards.

Tracy June Kirkland, 42, allegedly used Rootsweb.com to find the names, Social Security numbers and birth dates of people who, shall we say, had no further need for their consumer credit lines. She then "would randomly call various credit card companies to determine if the deceased individual had an … account," according to the 15-count indictment filed in federal court in Los Angeles Tuesday.

Rootsweb, run by Provo, Utah-based The Generations Network, is a genealogical research site offering a wealth of resources. One of them is free, up-to-date access to the Social Security Administration's Death Index, a list of people who have died, along with their birth dates and Social Security numbers.

Ironically, the government produces the monthly Death Index so that banks and other lenders can prevent people from applying for credit using a dead person's information -- the index is made public by the Department of Commerce under the Freedom of Information Act. The caper Kirkland is accused of masterminding apparently exploits a loophole by taking over accounts that are already open.

Lab for Testing Security of Top-Secret Wireless Systems Opens

Government defense and intelligence agencies have taken the wraps off a lab opened in the first quarter of this year for testing and evaluating wireless systems that transmit classified data.

The lab, developed by systems integrator Lockheed Martin, allows the agencies to test 802.11 Wi-Fi or broadband satellite links on a top-secret/sensitive compartmented information network.

The agencies will be able to test a broad spectrum of wireless networks, including Bluetooth, 802.16 WiMax, cell phones, and Ku- and C-band satellite communications. The lab is sealed and reinforced to ensure that signals from the systems stay within the chamber.

The Wireless Cyber Security Center, based in Hanover, Md., will allow agencies to define and evaluate wireless security strategies, policies and concepts of operation. The facility also will support projects to evaluate next-generation security technologies and assess vulnerabilities. Officials can also use the installation to evaluate mobile ad-hoc networks, which play an increasing role in battlefield communications.

Wednesday, April 16, 2008

U.S. Toll in Iraq

As of Wednesday, April 16, 2008, at least 4,036 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,295 died as a result of hostile action, according to the military's numbers.

The AP count is three lower than the Defense Department's tally, last updated Wednesday at 10 a.m. EDT.

U.S. to Expand DNA Collection During Arrests, Detentions

The U.S. government will soon begin collecting DNA samples from all citizens arrested for any federal crime and many illegal immigrants detained by federal authorities, adding genetic identifiers from more than a million individuals a year to the swiftly growing federal law enforcement DNA database.

The new policy would substantially expand the current practice of routinely collecting DNA samples only from those convicted of federal crimes, although it would build on a growing policy of states to collect DNA from all those arrested. Thirteen states do so now, and turn their data over to the federal government.

The initiative, to be published as a proposed rule in the Federal Register in coming days, reflects a congressional directive that DNA from arrestees should be collected to help catch a range of domestic criminals. But it also requires collection for the first time of DNA samples from foreigners detained by U.S. authorities.

Security Experts Split on 'Cyber Terrorism' Threat

International experts called on Wednesday for greater cooperation to fight threats to computer networks but they differed on the definition of cyberterrorism, with a top British security official describing it as a "myth".

Estonian defense ministry official Christian-Marc Liflander said sustained electronic attacks on his country last year came both from crude hackers and from sophisticated "cyberterrorists" remotely manipulating zombie computers known as botnets.

"I would say we have entered an era of cyber terror and perhaps even of cyber war," Liflander told a London security conference at the Royal United Services Institute.

Estonia has said it believes the Russian government was behind last year's attacks, which came amid a diplomatic row over Tallinn's decision to relocate a Soviet-era war memorial.

But Liflander said the botnet attacks came from computers in 76 different countries and it was hard to prove who sponsored them. "What we have is just a gazillion IP (Internet Protocol) addresses that don't prove anything."

IG: DHS Needs Cyber Security Coordination Office

The Homeland Security Department is moving too slowly to protect its most critical internal computer systems, according to a new report [.pdf] from the department’s inspector general, Richard Skinner.

The report recommends creating an office within DHS to determine protection priorities for its critical cyber infrastructure and coordinate efforts to protect those information technology assets.

Under Homeland Security Presidential Directive 7, federal agencies must identify critical cyber infrastructures, and DHS uses an enterprise tool to identify those systems. But there is no process in place to rank those systems to ensure that the high-risk ones are protected.

“DHS has not determined which of these high-risk systems must be given priority when allocating protection resources,” Skinner wrote.

Defenseless on The Net

During the Middle Ages, walls became less of a barrier. Soldiers would simply set up a catapult-like device known as a trebuchet, which enabled them to fling hundred-pound projectiles and disease-carrying corpses over supposedly impenetrable fortifications. No matter how competently the 12th century's security professionals routinely patched and updated their fortress exteriors, invaders got in.

Today, rapidly evolving cyber espionage threats, state-sponsored hackers, and other Internet miscreants are bounding over the best modern protections consumers, corporations, and governments can set up. The situation is providing a steady source of revenue—in the many billions of dollars—for the essential products and services of computer and network security firms.

Tuesday, April 15, 2008

Late Night Flashback: Quiet Riot - Metal Health (Bang Your Head)

U.S. Toll in Iraq

As of Tuesday, April 15, 2008, at least 4,034 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,291 died as a result of hostile action, according to the military's numbers.

The AP count is one less than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

Trucker Wrongly Placed on Watch-List Sues U.S.

An Atlanta truck driver who says he lost his job after being wrongly placed on a U.S. terrorist watch-list is petitioning the Supreme Court for redress.

Bilal Mahmud was one of 29 truckers across the United States whose license to haul hazardous materials was withdrawn by the Transportation Security Administration in 2004, after the names of 2.7 million commercial drivers were run against U.S. terrorist watch-lists.

Mahmud appealed and his license was eventually restored by the TSA, but he says he lost his job and reputation and is still on the watch-list.

FBI Names Cyber Security Head for L.A. Division

The Federal Bureau of Investigation has named a new head of counterintelligence and cybersecurity for the agency's Los Angeles division.

FBI Director Robert Mueller announced the appointment of Keith Bolcar to the post. Bolcar, a more than 20-year FBI veteran, will replace Peter Brust, who officials say has retired, the FBI reported.

Bolcar has a long history of involvement in counter-terrorism investigations, including the 1988 bombing of Pan Am Flight 103 over Lockerbie, Scotland. Officials say Bolcar has also served as a supervisor of the International Terrorism Operations Section of the FBI's Middle East Unit, Counter-terrorism Division, where he worked on the FBI's Iraq program.

Bolcar has worked on investigations including the "bombing of Khobar Towers in Saudi Arabia and the bombings of the U.S. Embassies in Nairobi, Kenya and Dar es Salaam, Tanzania, in 1998. Mr. Bolcar also served as the supervisor of the squad responsible for the Washington Field Office's investigation of the Sept. 11 attacks," the release said.

New Zealand: Otago University in Hacker Probe

A hacker has sparked an email scandal at the University of Otago, breaking into its computer system and sending out hundreds of private messages allegedly written by a department head.

The university, which has kept the issue out of the public arena since it happened last month, has reported the matter to police.

The university's pro-vice-chancellor of sciences, Professor Vernon Squire, said in a March 8 message he sent to all the recipients that the emails were an attempt to discredit the dean of Otago's School of Surveying, Professor Brent Hall, and that a further stream of emails was threatened.

When contacted by The Press last night, Hall said: "I have no comment to make on that."

On March 6, dozens of emails were sent to all University of Otago staff, other university addresses and further afield, copying what hackers claimed were private emails exchanged by Hall and dated between September and mid-February.

Monday, April 14, 2008

EFF Issues Report on Abuse of National Security Letters

Today, EFF published a report on the misuse of a National Security Letter to seek educational records from North Carolina State University at Raleigh in 2005. The NSL authority does not allow the government to seek educational records.

The detailed report stems from EFF's Freedom of Information Act request for records about NSL abuse. FBI documents show that, over the span of three days in July 2005, the Charlotte Division of the FBI first obtained educational records pursuant to a grand jury subpoena, and then -- at the direction of FBIHQ -- returned the records and sought them again pursuant to an improper NSL.

The university refused the improper NSL, but the FBI finally obtained the records pursuant to a second grand jury subpoena. Later in July 2005, FBI Director Robert Mueller, in testimony, used the delay in obtaining these particular records as an example of why the FBI needed administrative subpoena power instead of NSLs.

U.S. Lawmakers Want FBI Access to Data Curbed

Bipartisan groups in Congress are pressing to place new controls on the FBI's ability to demand troves of sensitive personal information from telephone providers and credit card companies, over the opposition of agency officials who say they deserve more time to clean up past abuses.

Proposals to rein in the use of secret "national security letters" will be discussed over the next week at hearings in both chambers. The hearings stem from disclosures that the FBI had clandestinely gathered telephone, e-mail and financial records "sought for" or "relevant to" terrorism or intelligence activities without following appropriate procedures.

The Justice Department's inspector general issued reports in 2007 and earlier this year citing repeated breaches. They included shoddy FBI paperwork, improper claims about nonexistent emergencies and an insufficient link between the data requests and ongoing national security probes.

"It is clear that the NSL authority is too overbroad and operates unchecked," said Rep. Jerrold Nadler (D-N.Y.), a co-sponsor of the House bill. "We must give our law enforcement the tools they need to protect us, but any such powers must be consistent with the rule of law."

Criminals Hack CEOs with Fake Subpoenas

Panos Anastassiadis didn't click on the fake subpoena that popped into his inbox on Monday morning, but he runs a computer security company. Others were not so lucky.

In fact, security researchers say that thousands have fallen victim to an e-mail scam in which senior managers such as Anastassiadis are told that they have been sued in federal court and must click on a Web link to download court documents. Victims of the crime are taken to a phony Web site where they are told they need to install browser plug-in software to view the documents. That software gives the criminals access to the victim's computer.

This type of targeted e-mail attack, called "spear-phishing," is a variation on the more common "phishing" attack. Both attacks use fake e-mail messages to try to lure victims to malicious Web sites, but with spear-phishing the attackers try to make their messages more believable by including information tailored to the victim.

Russian SU Domain Registry Snubs ICANN

ICANN is still attempting to delete the obsolete SU (Soviet Union) extension but having little success. While they managed to decommission the .YU (Yugoslavia) extension successfully last year, they are finding rebellion among Russian webmasters, ISPs and the Registry itself.

To summarise the dispute so far, September saw ICANN release a statement urging “the current .SU operators to make it clear to the .SU registrants the issues surrounding the domain, as well as to freeze new registrations until its future is clear”.

In response, the .SU Registry announced an 80% price cut to the .SU domain, bringing it into line with .RU (Russia) pricing and the proposed launch of an IDN (international) version of the domain extension. Not exactly the reaction ICANN must have been hoping for.

Newspapers Argue For First Amendment Right to Snoop on Readers

Usually, when people talk about the trade-offs between privacy and freedom of the press, the argument is about whether the public has the right to know some fact about an individual’s personal life.

The newspaper industry is now arguing that the First Amendment protects its right to follow users around the Internet so it can charge higher prices on advertising.

This argument was made in a filing by the Newspaper Association of America commenting on the Federal Trade Commission’s proposal that the companies involved in advertising that uses what is called behavioral targeting create a self-regulatory code that limits their use of sensitive information.

Two security experts from Microsoft and Hewlett Packard have warned against "premature AJAXulation" - the practice of using quick fixes to turn existing software into Rich Internet Application wonders - saying these are architecturally flawed.

Microsoft security program manager Bryan Sullivan, during a joint session called Ajax Applications: A Blueprint for Disaster, told RSA: "People talk about sexy new Web 2.0 attacks. What's going to break the internet are these old Web 1.0 attacks like SQL injection, which works well against Web 2.0 applications. They are more efficient and more effective."

Stars & Stripes Online Hit in Cyber Attack

Stripes.com, the Web version of the armed services independent daily newspaper Stars & Stripes, is warning readers who visited its site on April 12 that their computers may have been infected with a virus originating with an automated cyber attack last month.

“The problem on the Stripes site has been resolved,” the site states in a notice on its homepage April 14. “Users who tried to visit the site between midnight and 9 a.m. on Saturday Eastern time, or experienced any difficulties accessing stripes.com in the past couple of days, are encouraged to update and run their anti-virus scan programs.”

According to the site, the hacking of Stripes.com may have been related to an automated cyber attack in March that “compromised more than 10,000 web pages, including everyday destinations such as travel, government and hobby sites.”

Man Who Found Software Bugs On Trial In Germany For Extortion

A computer expert from Turkey who discovered bugs in US software went on trial in Germany Monday for attempted extortion after he demanded payment to explain the security flaws.

The trial in the German city of Braunschweig highlights the shadowy trade in 'exploits,' in which companies pay freelance programmers bounties to reveal software flaws before criminal hackers discover them.

The man, 29, demanded a total of 167,000 dollars from a US internet service provider and a telephone company, prosecutors said.

To step up the pressure on his 'clients,' he broke into their computer systems and altered customer data to demonstrate the exploit, prosecutors claim.

The US Federal Bureau of Investigation (FBI) traced him to Germany, where he was arrested.